==== Instalação do BIND no CentOS 7 ====
==== Ajustes iniciais ====
Hostname
# cat /etc/hostname
ns1.laboratorio.com.br
Configuração de rede
# ip addr show
1: lo: mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:a0:82:1b brd ff:ff:ff:ff:ff:ff
inet 192.0.2.100/24 brd 192.0.2.255 scope global enp0s3
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:fea0:821b/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
3: enp0s8: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 08:00:27:b4:dd:d7 brd ff:ff:ff:ff:ff:ff
inet6 2001:db8:cafe::100/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a00:27ff:feb4:ddd7/64 scope link
valid_lft forever preferred_lft forever
Instalação do bind
# yum install bind bind-utils bind-chroot
Alterando o resolv.conf
# cat /etc/resolv.conf
nameserver 127.0.0.1
Tornando o resolv.conf imutável para que não sofra alterações
# chattr +i /etc/resolv.conf
Preparando o diretório chroot
# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# mount | egrep chroot
/dev/sda2 on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda6 on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/sda3 on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
# ls /var/named/chroot/etc/
localtime named named.conf named.iscdlv.key named.rfc1912.zones named.root.key pki
Contextos SELinux
# ls -lZ /var/named/chroot/etc/
-rw-r--r--. root root unconfined_u:object_r:locale_t:s0 localtime
drwxr-x---. root named system_u:object_r:etc_t:s0 named
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.conf
-rw-r--r--. root named system_u:object_r:etc_t:s0 named.iscdlv.key
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.rfc1912.zones
-rw-r--r--. root named system_u:object_r:etc_t:s0 named.root.key
drwxr-x---. root named system_u:object_r:cert_t:s0 pki
Iniciando e ativando os serviços
# systemctl start named-chroot.service
# systemctl enable named-chroot.service
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
Verificando os serviços
# systemctl status named-chroot.service
named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled)
Active: active (running) since Sex 2015-06-12 13:09:36 BRT; 3min 56s ago
Main PID: 12982 (named)
CGroup: /system.slice/named-chroot.service
└─12982 /usr/sbin/named -u named -t /var/named/chroot
[...]
# ss -nat | egrep 53
LISTEN 0 10 127.0.0.1:53 *:*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 10 ::1:53 :::*
LISTEN 0 128 ::1:953 :::*
# ps -ef | egrep named
named 12982 1 0 13:09 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot
root 16719 2204 0 13:14 pts/0 00:00:00 grep -E --color=auto named
==== Configuração ====
# cat /etc/named.conf
// Source ACLs. "ipv4"/"ipv6" are this server's own addresses (see the
// `ip addr show` output above); "lan" is the set of networks that may use
// the cache and that select the internal view in named_zones.conf.
// NOTE(review): 198.50.100.0/24 appears nowhere else on this page and is a
// routable prefix, not the RFC 5737 documentation block (198.51.100.0/24);
// if it is a typo, recursion is being granted to an external network -- confirm.
acl "ipv4" { 127.0.0.1; 192.0.2.100; };
acl "ipv6" { ::1; 2001:db8:cafe::100; };
acl "lan" { 192.0.2.0/24; 198.50.100.0/24; 2001:db8:cafe::/64; };
options {
// Listen only on the server's own addresses (matches the `ss -nat` output).
listen-on port 53 { ipv4; };
listen-on-v6 port 53 { ipv6; };
// Zone file paths below and in named_zones.conf are relative to this directory
// (inside the chroot: /var/named/chroot/var/named).
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Anyone may ask (required for the authoritative "publico" view), but
// cached answers are only returned to local and LAN sources; recursion
// itself is switched per view in named_zones.conf.
allow-query { any; };
allow-query-cache { ipv4; ipv6; lan; };
// NOTE(review): no allow-transfer is set. In BIND 9.9 (the release shown on
// this page) the default allows zone transfers to any host, so every zone
// below can be fetched in full with AXFR; add `allow-transfer { none; };`
// here and override per zone with the secondaries' addresses where needed.
recursive-clients 3000;
tcp-clients 2000;
max-cache-size 256M;
// Do not answer version.bind / hostname.bind CHAOS queries with real values.
version none;
server-id none;
dnssec-enable yes;
dnssec-validation yes;
// NOTE(review): dnssec-lookaside relies on the ISC DLV registry, which has
// since been retired; newer BIND releases warn on or reject this option --
// plan to remove it together with the bindkeys-file line.
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
/*
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
*/
// Logging: general messages go to syslog facility local2 (rsyslog writes
// local2.* to /var/log/named.log, see the Rsyslog step); security, transfer,
// client and query events also go to a local file.
logging {
channel default_syslog {
syslog local2;
// NOTE(review): debug severity on a syslog channel is very chatty;
// info is the usual production level -- confirm this is intended.
severity debug;
};
channel audit_log {
// Relative to `directory`, i.e. /var/named/data/named.run inside the chroot.
file "data/named.run";
// NOTE(review): no `versions`/`size` on this channel, so named never
// rotates the file; with category queries routed here it grows without
// bound unless logrotate takes care of it.
severity debug;
print-time yes;
};
category default { default_syslog; };
category general { default_syslog; };
// Security events are written to both the file and syslog.
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
// Naming the queries category here switches query logging on at startup.
category queries { audit_log; };
category lame-servers { audit_log; };
};
// Zones are kept in a separate file so named.conf holds only global settings.
include "/etc/named/named_zones.conf";
Observe que colocamos um "include" (include "/etc/named/named_zones.conf";) no fim do arquivo; isso porque queremos as zonas separadas do arquivo principal (named.conf).
# cat /etc/named/named_zones.conf
// Split-horizon setup: views are matched in the order written, so "publico"
// comes first and must explicitly exclude local and LAN sources, which then
// fall through to the "lan" view below.
view "publico" {
match-clients { !lan; !ipv4; !ipv6; any; };
// Authoritative-only towards the internet: no recursion, no root hints.
recursion no;
// Public copy of the zone (203.0.113.0/24 addresses), see "Zona publica".
zone "laboratorio.com.br" IN {
type master;
file "publico/laboratorio.db";
};
// Reverse zone for 203.0.113.0/24.
zone "113.0.203.in-addr.arpa" IN {
type master;
file "publico/113-0-203.db";
};
// NOTE(review): neither this view nor its zones set allow-transfer, so the
// BIND 9.9 default (transfers allowed to any host) applies to the public side.
};
// Internal view: recursive resolver for the LAN plus the private
// (192.0.2.0/24 and 2001:db8:cafe::/64) copy of laboratorio.com.br.
view "lan" {
match-clients { lan; };
recursion yes;
// Root hints are only needed where recursion is enabled.
zone "." IN {
type hint;
file "named.ca";
};
zone "laboratorio.com.br" IN {
type master;
file "lan/laboratorio.db";
};
// Reverse zone for 192.0.2.0/24 (octets appear reversed in the zone name).
zone "2.0.192.in-addr.arpa" IN {
type master;
file "lan/2-0-192.db";
};
// Reverse zone for the 2001:db8:cafe::/48 prefix (12 nibbles in the name);
// it also covers the ::/64 LAN used in the acl.
zone "e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa" IN {
type master;
file "lan/2001-db8-cafe.db";
};
// The stock CentOS localhost/loopback zones and the root trust anchor are
// only loaded in this view.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
# chcon -u system_u -t named_conf_t named_zones.conf
# chown root:named named_zones.conf
Rsyslog
# vim /etc/rsyslog.conf
[...]
local2.* /var/log/named.log
# cd /var/named/
# mkdir lan
# mkdir publico
# chmod named:named -R lan
# chown named:named -R lan
# chown named:named -R publico
# chcon -u system_u -t named_cache_t lan
# chcon -u system_u -t named_cache_t publico
==== Zona direta lan ====
# cat /var/named/lan/laboratorio.db
; Internal (LAN view) copy of laboratorio.com.br with the private 192.0.2.0/24
; and 2001:db8:cafe::/64 addresses. The public view serves publico/laboratorio.db;
; keep the two in step when hosts change.
$TTL 172800
@ IN SOA ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
2015071001 ; serial (YYYYMMDDnn -- bump on every edit or secondaries will not refresh)
3600 ; refresh
3600 ; retry
3600 ; expire -- NOTE(review): equal to refresh; a secondary would discard the zone after one missed refresh -- confirm
900 ) ; minimum (negative-caching TTL)
;; DNS servers that answer for this zone
;; NOTE(review): the apex name laboratorio.com.br. is listed as an NS, but its
;; A/AAAA records below point at the 192.0.2.50 host, not at this server -- confirm it runs DNS
@ IN NS laboratorio.com.br.
@ IN NS ns1.laboratorio.com.br.
@ IN MX 10 mail.laboratorio.com.br.
;
; SPF
; The owner of the two records is inherited from the previous record (the apex);
; presumably these lines start with whitespace in the real file, as the dig TXT test below shows.
; NOTE(review): the SPF RR type was deprecated by RFC 7208; receivers only use the TXT record.
IN TXT "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
IN SPF "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
;
; This name server (the same addresses as the listen-on ACLs in named.conf)
ns1.laboratorio.com.br. IN A 192.0.2.100
IN AAAA 2001:db8:cafe::100
;
; Mail host; the service names below are CNAMEs to it (the relative target
; "mail" gets the zone origin appended)
mail.laboratorio.com.br. IN A 192.0.2.240
IN AAAA 2001:db8:cafe::240
imap.laboratorio.com.br. IN CNAME mail
smtp.laboratorio.com.br. IN CNAME mail
pop.laboratorio.com.br. IN CNAME mail
;
; Apex address (web host) and the www alias
@ IN A 192.0.2.50
IN AAAA 2001:db8:cafe::50
www.laboratorio.com.br. IN CNAME @
# chcon -u system_u -t named_zone_t /var/named/lan/laboratorio.db
# chown root:named /var/named/lan/laboratorio.db
# named-checkzone laboratorio.com.br /var/named/lan/laboratorio.db
zone laboratorio.com.br/IN: loaded serial 2015071001
OK
==== Zona reversa lan ipv4 ====
# cat /var/named/lan/2-0-192.db
; Reverse zone for 192.0.2.0/24 (LAN view). Owner names are the last octet of
; the address; the zone name 2.0.192.in-addr.arpa supplies the rest.
$TTL 172800
@ IN SOA ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
2015100501 ; serial
3600 ; refresh
3600 ; retry
3600 ; expire -- NOTE(review): equal to refresh, see the forward zone
900 ) ; minimum
;; DNS servers that answer for this reverse zone
@ IN NS ns1.laboratorio.com.br.
;
; NOTE(review): ns1 has A 192.0.2.100 in lan/laboratorio.db, but this PTR is
; at .200, so `dig -x 192.0.2.100` returns NXDOMAIN -- confirm which octet is right
200 IN PTR ns1.laboratorio.com.br.
240 IN PTR mail.laboratorio.com.br.
# chcon -u system_u -t named_zone_t /var/named/lan/2-0-192.db
# chown root:named /var/named/lan/2-0-192.db
# named-checkzone 2.0.192.in-addr.arpa /var/named/lan/2-0-192.db
zone 2.0.192.in-addr.arpa/IN: loaded serial 2015100501
OK
==== Zona reversa ipv6 ====
# cat 2001-db8-cafe.db
; Reverse zone for 2001:db8:cafe::/48 (LAN view). The zone name holds the
; 12 prefix nibbles, so each owner below is the remaining 20 nibbles of the
; address, least significant nibble first.
$TTL 172800
@ IN SOA ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
2015100501 ; serial
3600 ; refresh
3600 ; retry
3600 ; expire -- NOTE(review): equal to refresh, see the forward zone
900 ) ; minimum
;; DNS servers that answer for this reverse zone
@ IN NS ns1.laboratorio.com.br.
;
; 2001:db8:cafe::100 -> host part 0000:0000:0000:0000:0100, reversed
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.laboratorio.com.br.
; 2001:db8:cafe::240 -> host part 0000:0000:0000:0000:0240, reversed
0.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR mail.laboratorio.com.br.
# chcon -u system_u -t named_zone_t /var/named/lan/2001-db8-cafe.db
# chown root:named /var/named/lan/2001-db8-cafe.db
# named-checkzone e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa /var/named/lan/2001-db8-cafe.db
zone e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 2015100501
OK
==== Zona publica ====
# cat /var/named/publico/laboratorio.db
; Public (internet-facing view) copy of laboratorio.com.br with the
; 203.0.113.0/24 addresses. Must be kept in step with lan/laboratorio.db.
$TTL 172800
@ IN SOA ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
2015100501 ; serial (bump on every edit)
3600 ; refresh
3600 ; retry
3600 ; expire -- NOTE(review): equal to refresh; a secondary would discard the zone after one missed refresh -- confirm
900 ) ; minimum
;; DNS servers that answer for this zone
;; NOTE(review): as in the LAN copy, the apex name is listed as an NS although
;; its A record points at the 203.0.113.50 host -- confirm it runs DNS
@ IN NS laboratorio.com.br.
@ IN NS ns1.laboratorio.com.br.
@ IN MX 10 mail.laboratorio.com.br.
;
; SPF (owner inherited from the previous record, i.e. the apex)
; NOTE(review): the SPF RR type was deprecated by RFC 7208; only the TXT record is used.
; Unlike the LAN copy there is no ip6: term and no AAAA below -- fine if the public side is IPv4-only.
IN TXT "v=spf1 a mx ip4:203.0.113.240 -all"
IN SPF "v=spf1 a mx ip4:203.0.113.240 -all"
;
; Name server and mail host on the public network
ns1.laboratorio.com.br. IN A 203.0.113.100
mail.laboratorio.com.br. IN A 203.0.113.240
;
; Apex address (web host) and the www alias
@ IN A 203.0.113.50
www.laboratorio.com.br. IN CNAME @
# chcon -u system_u -t named_zone_t /var/named/publico/laboratorio.db
# chown root:named /var/named/publico/laboratorio.db
# named-checkzone laboratorio.com.br /var/named/publico/laboratorio.db
zone laboratorio.com.br/IN: loaded serial 2015100501
OK
==== Zona reversa publica ====
# cat /var/named/publico/113-0-203.db
; Reverse zone for 203.0.113.0/24 (public view). Owner names are the last
; octet; the zone name 113.0.203.in-addr.arpa supplies the rest.
$TTL 172800
@ IN SOA ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
2015100501 ; serial
3600 ; refresh
3600 ; retry
3600 ; expire -- NOTE(review): equal to refresh, see the forward zone
900 ) ; minimum
;; DNS servers that answer for this reverse zone
@ IN NS ns1.laboratorio.com.br.
;
; Matches ns1 (203.0.113.100) and mail (203.0.113.240) in publico/laboratorio.db
100 IN PTR ns1.laboratorio.com.br.
240 IN PTR mail.laboratorio.com.br.
# chcon -u system_u -t named_zone_t /var/named/publico/113-0-203.db
# chown root:named /var/named/publico/113-0-203.db
# named-checkzone 113.0.203.in-addr.arpa /var/named/publico/113-0-203.db
zone 113.0.203.in-addr.arpa/IN: loaded serial 2015100501
OK
# systemctl restart rsyslog.service
# systemctl reload named-chroot.service
# firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success
==== Testes ====
# dig -t A +short laboratorio.com.br
192.0.2.50
# dig -t AAAA +short laboratorio.com.br
2001:db8:cafe::50
# dig -t MX +short laboratorio.com.br
10 mail.laboratorio.com.br.
# dig +short mail.laboratorio.com.br
192.0.2.240
# dig +short -x 192.0.2.240
mail.laboratorio.com.br.
# dig -t TXT +short laboratorio.com.br
"v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
# dig @localhost laboratorio.com.br
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @localhost laboratorio.com.br
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;laboratorio.com.br. IN A
;; ANSWER SECTION:
laboratorio.com.br. 172800 IN A 192.0.2.50
;; AUTHORITY SECTION:
laboratorio.com.br. 172800 IN NS ns1.laboratorio.com.br.
laboratorio.com.br. 172800 IN NS laboratorio.com.br.
;; ADDITIONAL SECTION:
laboratorio.com.br. 172800 IN AAAA 2001:db8:cafe::50
ns1.laboratorio.com.br. 172800 IN A 192.0.2.100
ns1.laboratorio.com.br. 172800 IN AAAA 2001:db8:cafe::100
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Seg Out 05 22:17:29 BRT 2015
;; MSG SIZE rcvd: 167